Infection Chain

This infection chain began with me visiting a decoy site used by the HookAds malvertising campaign. The decoy site uses an anti-Adblock solution for image banners and popunders. This anti-Adblock solution relies on a frontend script and a backend script (frontend_loader.js and backend_loader.php) that must be hosted on the site's own server.

The decoy site contains a script for popunders:

The decoy site also contained a call for /popunder.php:

The PHP file located at the relative path returned the following script:

The function is called to write an iframe into a new DOM object. The iframe carries the "PopUnderURL" (nairolonia[.]info), statically defined width and height for the injected iframe, and the location of the resource at "nairolonia[.]info/banners/uaps?".

nairolonia[.]info/banners/uaps? returns RIG’s pre-landing page:

You can see from the partial image above that the pre-landing page contains the URL for the RIG exploit kit landing page.

File System

During this infection the payload was dropped in %Temp% and then copied to AppData\Local\Microsof\Windows:

Registry key used for persistence:

There is a detailed report on LatentBot from FireEye, which can be found HERE. The report shows that the GET requests for .ZIP files actually retrieve modules disguised as ZIP files. These files are encoded data that is saved into the following subkeys under HKCU\Software\Google\Update\network\secure:
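The host-side artifacts above (payload copied under AppData\Local\Microsof\Windows, module blobs kept as registry values under HKCU\Software\Google\Update\network\secure) are straightforward to check for on a suspect machine. The PowerShell triage script below is an added example written for this post; it is not code from the original write-up, from FireEye, or from the malware. It assumes the locations described above, and its check of the HKCU Run and RunOnce keys is an assumption about where the persistence entry lives, since the screenshot of that key is not reproduced here.

```powershell
# Added triage script (not from the original post). Assumes the artifact
# locations described above: a payload copied to
# %LocalAppData%\Microsof\Windows and LatentBot module data stored as
# values under HKCU\Software\Google\Update\network\secure. The Run/RunOnce
# keys checked at the end are an ASSUMPTION about where the persistence
# entry lives; the post's screenshot of that key is not reproduced here.

$dropDir   = Join-Path $env:LOCALAPPDATA 'Microsof\Windows'
$moduleKey = 'HKCU:\Software\Google\Update\network\secure'
$runKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Dropped payload: hash every file under the "Microsof" directory.
#    (The legitimate Microsoft path is 'Microsoft\Windows'.)
if (Test-Path -Path $dropDir) {
    Write-Output "[!] $dropDir exists"
    Get-ChildItem -Path $dropDir -File -Recurse -Force |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [PSCustomObject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = $h.Hash
            }
        } | Format-Table -AutoSize
} else {
    Write-Output "[+] $dropDir not present"
}

# 2. Module storage: enumerate the key itself plus all subkeys and report
#    the size of every value, since the modules are kept as encoded blobs
#    in the registry rather than as files on disk.
if (Test-Path -Path $moduleKey) {
    Write-Output "[!] $moduleKey exists"
    $keys = @(Get-Item -Path $moduleKey) + @(Get-ChildItem -Path $moduleKey -Recurse)
    $keys | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            $len  = if ($data -is [byte[]]) { $data.Length }
                    elseif ($data -is [string]) { $data.Length }
                    else { ($data | Out-String).Length }
            [PSCustomObject]@{
                Key   = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Value = $name
                Kind  = $key.GetValueKind($name)
                Bytes = $len
            }
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "[+] $moduleKey not present"
}

# 3. Persistence: list Run/RunOnce entries whose command line points into
#    the drop directory or into %TEMP% (assumed locations, see note above).
foreach ($rk in $runKeys) {
    if (-not (Test-Path -Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        if ($cmd -like "*$dropDir*" -or $cmd -like "*$env:TEMP*") {
            Write-Output "[!] $rk\$($p.Name) -> $cmd"
        }
    }
}
```

Run it in the context of the user whose profile was infected, since both the drop directory and the registry key live under the per-user hive (HKCU and %LocalAppData%). The value sizes reported in step 2 are the quickest way to spot the module blobs: legitimate Google Update settings are small, while encoded executable modules are tens or hundreds of kilobytes.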